The fantastic group at overthewire.org has created another wargame called Natas, the description of which is as follows:

Natas teaches the basics of serverside web-security.
Each level of natas consists of its own website located at http://natasX.natas.labs.overthewire.org, where X is the level number. There is no SSH login. To access a level, enter the username for that level (e.g. natas0 for level 0) and its password.
Each level has access to the password of the next level. Your job is to somehow obtain that next password and level up. All passwords are also stored in /etc/natas_webpass/. E.g. the password for natas5 is stored in the file /etc/natas_webpass/natas5 and only readable by natas5.

A big thank you goes out to this group for creating compelling and well-organized wargames for people of any skillset or experience level!

I decided to go ahead and pair the writeups for the first two levels together, since they are very similar, and both very easy.

Saturday, October 27, 2012

I ran across some web-oriented security challenges, and thought I would take a quick break from the Smash the Stack writeups (more of which are coming soon) to create a writeup for these security challenges as they are solved. If you would like to try the challenges for yourself, you can find them here. Thanks to "damo" for setting these challenges up!

Tuesday, October 23, 2012

For the third level of Smash the Stack (IO), we are given both the source code and a binary to work with. As always, we will use the password obtained in the previous writeup to log in to the server as 'level3'. Let's take a look and see if we can find a way to extract the password for level 4.

Monday, October 22, 2012

We can use the password found in the previous writeup to log in to the server as the 'level2' user. As always, the levels are in /levels. We can see that there are two possible levels for level2: level2, and level2_alt. For the sake of this post, I will focus on level2, but may update it with the solution for level2_alt later.

Sunday, October 21, 2012

One of the best ways to either learn new exploitation techniques or practice ones you already understand is through events called Wargames, otherwise known as "Capture the Flags" (CTFs). There are two common types of CTFs: a typical "Offensive/Defensive" strategy, in which teams are simultaneously attacking each other's networks in an attempt to capture their flag, and a "Jeopardy", or "Offense Only", type in which all teams are trying to solve problems to obtain the same flag.

In addition to this, CTFs can be further classified as either 'ongoing', in which participation is not limited to a small time frame, or 'Event Based', in which participants have a limited time (usually a few days) to attempt to capture as many flags as possible. As an example, the recent CSAW CTF (for which there are writeups on this blog) is considered a Jeopardy-style Event CTF because participation was limited to a weekend.

Now, with the introduction out of the way (see the end of the post for misc. CTF resources), the following is a writeup for level 1 of the ongoing Jeopardy-style CTF called Smash the Stack - IO. I have tried to make the writeup comprehensive for those that may have never participated in a CTF, or do not have much experience reversing binaries.

Tuesday, October 2, 2012

As mentioned in a previous post, the CSAW CTF Quals also had Networking challenges, in which contestants were given a packet capture file in which to find the key.

There were four networking challenges which ranged from 100 to 400 points each. Here are the writeups for the only two that I finished during the CTF.

Networking 100 - telnet.pcap

For this challenge, we were given a packet capture containing a telnet session. The first thing we want to do is to open up this file in Wireshark. Once this file is open, we can see that we indeed have a Telnet session, from which we need to extract the key. This should be trivial, since Telnet does not encrypt data (including authentication credentials). This means that if we intercept Telnet traffic, we can harvest credentials with ease.

To do this, we can right-click on a packet in the session, and select 'Follow TCP Stream.' This is a feature of Wireshark that allows us to easily see all of the data that corresponds to a particular session.

Once we choose to follow the TCP stream, we immediately see the flag, which is the password used to establish the Telnet session:

Piece of cake!

Key: welcome to 1969
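To show what Wireshark's 'Follow TCP Stream' is actually doing, and why a cleartext Telnet login is visible to anyone holding the capture, here is an added example (not part of the original writeup, and not the CTF's pcap): a pure-Python pcap reader that groups TCP segments per connection, orders them by sequence number, and flags client-to-server Telnet streams. The capture, addresses and credentials are all constructed inline.

```python
# Minimal "Follow TCP Stream": parse a classic pcap, group TCP segments per
# connection, order by sequence number (dropping retransmits) and join the bytes.
import struct
from collections import defaultdict

def build_pcap(segments):
    """Constructed Ethernet/IPv4/TCP pcap from (src, sport, dst, dport, seq, payload)."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # global header, linktype 1
    for src, sport, dst, dport, seq, payload in segments:
        tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.')))) + tcp
        frame = b'\x00' * 12 + b'\x08\x00' + ip                   # Ethernet header, EtherType IPv4
        out += struct.pack('<IIII', 0, 0, len(frame), len(frame)) + frame
    return out

def follow_tcp_streams(pcap):
    """Return {(src, sport, dst, dport): bytes}, one entry per direction of each connection."""
    if pcap[:4] not in (b'\xd4\xc3\xb2\xa1', b'\xa1\xb2\xc3\xd4'):
        raise ValueError('not a classic pcap file')
    end = '<' if pcap[:4] == b'\xd4\xc3\xb2\xa1' else '>'
    streams, off = defaultdict(dict), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + 'IIII', pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if frame[12:14] != b'\x08\x00':                           # IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 6:                                            # TCP only
            continue
        ihl, total = (ip[0] & 0x0f) * 4, struct.unpack('!H', ip[2:4])[0]
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack('!HHI', tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            key = ('.'.join(map(str, ip[12:16])), sport, '.'.join(map(str, ip[16:20])), dport)
            streams[key].setdefault(seq, payload)                # keep first copy of a retransmit
    return {k: b''.join(v[s] for s in sorted(v)) for k, v in streams.items()}

def cleartext_logins(pcap):
    """Flag client->server Telnet streams (dport 23): everything typed, credentials included, is visible."""
    return {k: v.decode('latin-1') for k, v in follow_tcp_streams(pcap).items() if k[3] == 23}

# Constructed Telnet login; client segments deliberately out of order with one retransmit.
SAMPLE = build_pcap([
    ('10.0.0.5', 40001, '10.0.0.9', 23, 1007, b'hunter2\r\n'),
    ('10.0.0.5', 40001, '10.0.0.9', 23, 1000, b'alice\r\n'),
    ('10.0.0.5', 40001, '10.0.0.9', 23, 1000, b'alice\r\n'),
    ('10.0.0.9', 23, '10.0.0.5', 40001, 500, b'login: alice\r\nPassword: '),
])
```

Running `cleartext_logins(SAMPLE)` reproduces the Wireshark view: the reassembled client stream reads the username and password back in order despite the reordering and duplicate, which is exactly why Telnet (and plain HTTP logins, as in the next challenge) should be replaced with SSH or TLS on any network you do not fully trust.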

Networking 200 - lemieux.pcap

For this challenge, we play the role of a friend of some person who wants to gain access to a party. Our friend says that he/she knows someone who created an invitation for a party, but is really strict about who gets in. Our challenge is to find the password used to be let in to the party from the given pcap file.

We start this challenge the same way we started Networking 100 - by opening up the provided pcap in Wireshark. We can see that this looks like a typical capture file of someone browsing the web, with multiple HTTP sessions listed. We can use the 'http' filter to help clean up the listed packets to only include those using the HTTP protocol.

From here we can start looking through the packet capture, and we start seeing requests to http://taproom307.com/. By visiting this site, we can see a link to 'Book a Party,' suggesting this may be the best way to proceed looking at the capture file. We can also guess that we are looking for a POST request, since the individual likely POSTed a form to book the party.

After some digging we finally come across this request which, after analyzing the data sent, shows us the password to attend the party.

Key: brooklyn beat box

That's all there is to it for these first two Networking challenges. Here are links to blog posts that write up the solutions to the other two challenges - Networking 300 and Networking 400:

Monday, October 1, 2012

As mentioned in the previous post, the CSAW CTF also had a Trivia section of challenges, with each solution worth 100 points. Each of these could be found with a little Google-fu and some work if needed. Here are the solutions to the Trivia challenges:

Trivia 1 - What is the first step in owning a target?

The answer to this one should be obvious to pentesters, as RECON is the first step in owning a target (you need information to work with). Also, one could possibly see the 'Recon' challenges listed under the Trivia section and assume that, which would work also.

Key: recon

Trivia 2 - What is the name of Google's dynamic malware analysis tool for Android applications?

I knew the answer to this one already since I had previously seen slides of a talk given by Charlie Miller and Jon Oberheide on exploiting the tool named Bouncer.

Key: Bouncer

Trivia 3 - What is the x86 opcode for and al, 0x24? Put your answer in the form 0xFFFF.

Since I don't have my x86 opcodes memorized, it was time to find a resource. This one served my purpose well. We can see that the and instruction called with al and an imm. value (constant) is 0x24. Therefore, the key to this is 0x2424, as the constant is listed after the first byte in the opcode.

Key: 0x2424

Trivia 4 - Who was the first security researcher to publish the DEP bypass that utilized WriteProcessMemory()?

A bit of Googling led me to this paper, written by Spencer Pratt, which is the answer.

Key: Spencer Pratt

Trivia 5 - What is the name of Microsoft's distributed fuzzing system that utilizes automated debugging, taint analysis, model building, and constraint solving?

This one was the most difficult for me to find, partly because I kept getting hung up trying keys related to 'BlueHat'. It made sense to me, a community driven (distributed) system revolving around those topics. However, this wasn't the answer. After some more research, I found this article, which turned out to be the answer.

Key: SAGE

As mentioned, these challenges were all easily obtainable with a little research. I think these were meant to give new CTF-goers (like me!) the chance to quickly gain points and build confidence, which is a great idea.